b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n     UNIVERSITIES\xe2\x80\x99 USE OF SOCIAL\n    SECURITY NUMBERS AS STUDENT\n       IDENTIFIERS IN REGION II\n\n\n     July 2005    A-02-05-25104\n\n\n\n\n AUDIT REPORT\n\x0c                                   Mission\n\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xc2\x81 Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xc2\x81 Promote economy, effectiveness, and efficiency within the agency.\n  \xc2\x81 Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xc2\x81 Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xc2\x81 Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xc2\x81 Independence to determine what reviews to perform.\n  \xc2\x81 Access to all information necessary for the reviews.\n  \xc2\x81 Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nBy conducting independent and objective audits, investigations, and evaluations,\nwe are agents of positive change striving for continuous improvement in the\nSocial Security Administration's programs, operations, and management and in\nour own office.\n\x0c                                           SOCIAL SECURITY\nMEMORANDUM\n\nDate:   July 27, 2005                                                                     Refer To:\n\nTo:     Beatrice M. Disman\n        Regional Commissioner\n         New York\n\nFrom:   Inspector General\n\nSubject: Universities\xe2\x80\x99 Use of Social Security Numbers as Student Identifiers in Region II\n        (A-02-05-25104)\n\n\n        OBJECTIVE\n\n        Our objective was to assess universities\xe2\x80\x99 use of Social Security numbers (SSN) as\n        student identifiers in Region II and the potential risks associated with such use.1\n\n        BACKGROUND\n\n        Millions of students enroll in educational institutions each year. To assist in this\n        process, many colleges and universities use students\xe2\x80\x99 SSNs as personal identifiers.\n        The American Association of Collegiate Registrars and Admissions Officers found that\n        almost half (1,036) of member institutions that responded to a 2002 survey used SSNs\n        as the primary student identifier.2\n\n        The potential for identity theft increases each time an individual\xe2\x80\x99s SSN is divulged.\n        Recent incidents of identity theft at universities have led some schools to reconsider the\n        practice of using SSNs as the primary student identifier. However, at many universities,\n        students continue to be identified by their SSN.\n\n        The Privacy Act of 1974, Family Educational Rights and Privacy Act (FERPA), Social\n        Security Act, and New York State Educational Law contain provisions that govern\n        disclosure and use of SSNs. For example, FERPA requires that educational\n        institutions, which receive funds under an applicable program of the U.S. Department of\n        Education, have written permission from the parent or eligible student to release or\n        display any personally identifiable information from a student\xe2\x80\x99s education record.\n\n        1\n            Region II consists of New York, New Jersey, Puerto Rico and the U.S. Virgin Islands.\n        2\n         Academic Transcripts and Records: Survey of Current Practices, April 2002 Special Report, the\n        American Association of Collegiate Registrars and Admissions Officers.\n\x0cPage 2 \xe2\x80\x93 Beatrice M. Disman\n\n\nSimilarly, the New York State Educational Law prohibits, in most cases, universities in\nNew York State from displaying SSNs on students\xe2\x80\x99 public listing of grades, class rosters\nor other lists provided to teachers; student identification (ID) cards; or in student\ndirectories or similar listings.3 See Appendix B for more information on specific legal\nprovisions.\n\nWe selected a sample of seven universities in Region II.4 For each selected school, we\ninterviewed university personnel and reviewed school policies and practices for the use\nof SSNs. We also coordinated with the Social Security Administration\xe2\x80\x99s Office of\nGeneral Counsel and the Department of Education\xe2\x80\x99s Office of the Inspector General for\nfurther clarification on laws related to universities\xe2\x80\x99 use of SSNs. See Appendix C for a\nfull description of our scope and methodology.\n\nRESULTS OF REVIEW\nOur review showed that the SSN was the primary method of student ID for four of the\nseven universities we selected. We also identified three universities in the region that\ndid not use the SSN as the primary student identifier. The use of the SSN as the\nprimary student identifier made the SSN vulnerable to risk of identity theft.\n\nFOUR UNIVERSITIES USED THE SSN AS PRIMARY STUDENT IDENTIFIER\n\nDespite the increasing threat of identity theft, officials from four universities stated that\ntheir schools used the SSN as the primary student identifier. Two examples follow.\n\n\xe2\x80\xa2     ID Cards: Officials from three of the four universities stated the SSN appeared on\n      student ID cards. One university official stated that students\xe2\x80\x99 SSNs were displayed\n      on the back of ID cards. In general, the student SSN was also printed on receipts\n      from the library and bookstore and on overdue book notices that were mailed to\n      students.\n\n\xe2\x80\xa2     Postcards: Officials from three universities stated that SSNs were collected on\n      postcards. The postcards were sent to students from their respective schools to\n      obtain information.\n\nIn addition, we found that officials from each of the four universities stated the SSN was\nused to access the Internet and/or other computer systems. Although the Internet and\nmost computer systems use an encryption to prevent identity theft, it is still possible the\nsystem could be hacked into. Additionally, in some cases, forms that were accessible\nto students in the universities\xe2\x80\x99 computer systems clearly displayed students\xe2\x80\x99 SSNs when\nthey were printed.\n\n3\n New Jersey has also enacted a similar law restricting universities\xe2\x80\x99 use of SSNs, which will become\neffective January 26, 2006. See Appendix B for more information on this specific legislation.\n4\n    The term \xe2\x80\x9cuniversities\xe2\x80\x9d will be used to include both colleges and universities.\n\x0cPage 3 \xe2\x80\x93 Beatrice M. Disman\n\n\nWhen asked why the SSN was used as a student identifier, some officials informed us\nthey were unaware of any legislation limiting the use of the SSN. Those who were\naware of legislation cited the cost of converting to a new identifier system as a barrier.\nOne official stated that plans to eliminate the use of SSNs as the primary student\nidentifier have been addressed but have not yet been formally adopted. The clear\ndisplay of students\xe2\x80\x99 SSNs on cards and documents that may have been seen and\naccessed by other individuals made the number vulnerable to identity theft.\n\nTHREE UNIVERSITIES DID NOT USE THE SSN AS PRIMARY STUDENT\nIDENTIFIER\n\nOur review found that three universities did not use the SSN as the primary student\nidentifier. An official from one of the universities in New Jersey selected for our review\nstated they no longer used the SSN as the primary student identifier. New York has\nenacted a law that regulates universities\xe2\x80\x99 SSN use. The New York State Education\nLaw5 prohibits the display of a student\xe2\x80\x99s SSN on \xe2\x80\x9c\xe2\x80\xa6public listing[s] of grades, on class\nrosters or other lists provided to teachers, student identification cards, [and] in student\ndirectories or similar listings\xe2\x80\xa6unless specifically authorized or required by law....\xe2\x80\x9d\nAccordingly, the two universities in New York did not use the SSN as the primary\nstudent identifier.\n\nIn previous preliminary research conducted by the Office of the Inspector General,\nwhich did not result in an audit report, one of the universities selected in\nNew York State for our review requested students\xe2\x80\x99 SSNs on postcards. The university\nhas changed this practice. A university official stated that the SSN was no longer\nrequested on postcards.\n\nThe same official informed us the university did not use the SSN as the primary student\nID. The university uses a computer-generated student ID number as a primary student\nID. When registering for classes, students use a logon ID and password. The last six\ndigits of the SSN is the initial password, but students are prompted to change this at the\nfirst logon. The same course of action applies when students initially access on-line\nservices. However, the requirement to enter the last six digits of the SSN will be\neliminated when the university\xe2\x80\x99s new Student Information System is implemented,\ntentatively scheduled for 2007. Although, the school\xe2\x80\x99s undergraduate and graduate\nadmission applications request the SSN, we noted that providing an SSN was not\nmandatory for admission.\n\nAn official at the other New York State university stated that the school did not use the\nSSN as the primary student identifier. Specifically, a new system of ID was\nimplemented in November 2002. This conversion was done to comply with the New\nYork State Education Law regarding the use and display of the SSN. The system\ngenerates ID numbers for students. According to university personnel, these ID\nnumbers are called X-numbers (eight-digit ID numbers beginning with the letter X).\n\n5\n    NY CLS Edu \xc2\xa7 2-b.\n\x0cPage 4 \xe2\x80\x93 Beatrice M. Disman\n\n\nAll university employees and students have X-numbers for ID. On-line services at the\nuniversity do not require the student\xe2\x80\x99s SSN. The SSN appears as an asterisk on the\nform for requesting transcripts.\n\nCONCLUSION AND RECOMMENDATIONS\n\nWe found that SSNs were vulnerable to identity theft at four of the universities we\ncontacted since they used the SSN as a primary student ID. The schools used the\nSSNs in ways that potentially exposed them to individuals other than the\nnumberholders. While we recognize the Social Security Administration cannot directly\nprohibit universities from using SSNs, it can help reduce potential threats by\nencouraging schools to limit SSN use. Additionally, the Department of Education\xe2\x80\x99s\nFamily Policy Compliance Office provides technical assistance to universities covered\nby FERPA to ensure compliance with the Act. The Social Security Administration could\nwork with the Family Policy Compliance Office to help better educate universities that\nappear to be in noncompliance with FERPA.\n\nAccordingly, we recommend that the Regional Commissioner:\n\n1. Contact the universities that used the SSN as the primary student identifier, and\n   others in the region, to educate the community about the potential risks associated\n   with using SSNs as student identifiers.\n\n2. Ask the Department of Education\xe2\x80\x99s Family Policy Compliance Office to assist those\n   universities in Region II that use the SSN as the primary student identifier to ensure\n   they are complying with FERPA.\n\nAGENCY COMMENTS\n\nThe Agency agreed with our recommendations and has initiated corrective actions. The\nAgency\xe2\x80\x99s comments are included in Appendix D.\n\n\n\n\n                                                S\n                                                Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Federal and State Laws that Govern Disclosure and Use of the\n             Social Security Number\nAPPENDIX C \xe2\x80\x93 Scope and Methodology\nAPPENDIX D \xe2\x80\x93 Agency Comments\nAPPENDIX E \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                          Appendix A\n\nAcronyms\nC.F.R.        Code of Federal Regulations\nFERPA         Family Educational Rights and Privacy Act\nID            Identification\nOIG           Office of the Inspector General\nPub. L. No.   Public Law Number\nSSN           Social Security Number\nU.S.C.        United States Code\n\x0c                                                                                   Appendix B\n\nFederal and State Laws that Govern Disclosure\nand Use of the Social Security Number\nThe following laws establish a general framework for disclosing and using the Social\nSecurity number (SSN).\n\nThe Privacy Act of 1974 (5 U.S.C. \xc2\xa7 552a; Pub. L. No. 93-579, \xc2\xa7\xc2\xa7 7(a) and 7(b)\n\nThe Privacy Act of 1974 provides that it is unlawful for a State government agency to\ndeny any person a right, benefit, or privilege provided by law based on the individual\xe2\x80\x99s\nrefusal to disclose their SSN, unless such disclosure was required to verify the\nindividual\xe2\x80\x99s identity under a statute or regulation in effect before January 1, 1975.\nFurther, under Section 7(b), a State agency requesting that an individual disclose their\nSSN must inform the individual whether the disclosure is voluntary or mandatory, by\nwhat statutory or other authority the SSN is solicited, and what uses will be made of the\nSSN.\n\nThe Family Educational Rights and Privacy Act (20 U.S.C. \xc2\xa7 1232g; 34 C.F.R. Part 99)\n\nThe Family Educational Rights and Privacy Act (FERPA) protects the privacy of student\neducation records. FERPA applies to those schools that receive funds under an\napplicable program of the U.S. Department of Education. Under FERPA, an\neducational institution must have written permission from the parent or eligible student\nto release any personally identifiable information (which include SSNs) from a student\xe2\x80\x99s\neducation record.6 FERPA does, however, provide certain exceptions in which a school\nis allowed to disclose records without consent. These exceptions include disclosure\nwithout consent to university personnel internally who have a legitimate educational\ninterest in the information, to officials of institutions where the student is seeking to\nenroll/transfer, to parties to whom the student is applying for financial aid, to the parent\nof a dependent student, to appropriate parties in compliance with a judicial order or\nlawfully issued subpoena, or to health care providers in the event of a health or safety\nemergency.\n\n\n\n\n1\n  FERPA gives parents certain rights with respect to their children\xe2\x80\x99s education records. These rights\ntransfer to the child when the child reaches the age of 18 or attends an institution of postsecondary\neducation. Children that have been transferred these rights are referred to as \xe2\x80\x9celigible students.\xe2\x80\x9d\n\n\n                                                        B-1\n\x0cThe Social Security Act\n\nThe Social Security Act states, \xe2\x80\x9c[s]ocial security account numbers and related records\nthat are obtained or maintained by authorized persons pursuant to any provision of law,\nenacted on or after October 1, 1990, shall be confidential, and no authorized person\nshall disclose any such social security account number or related record.\xe2\x80\x9d (42 U.S.C. \xc2\xa7\n405(c)(2)(C)(viii)). The Social Security Act also states, \xe2\x80\x9c\xe2\x80\xa6[w]hoever discloses, uses, or\ncompels the disclosure of the social security number of any person in violation of the\nlaws of the United States; shall be guilty of a felony\xe2\x80\xa6\xe2\x80\x9d (42 U.S.C. \xc2\xa7 408(a)(8)).\n\nNew York Education Code (NY CLS Edu \xc2\xa7 2-b.)\n\nUse of student SSNs is restricted. \xe2\x80\x9cNo public or private\xe2\x80\xa6 [university] shall display any\nstudent\xe2\x80\x99s social security number to identify such student for posting or public listing of\ngrades, on class rosters or other lists provided to teachers, on student identification\ncards, in student directories or similar listings, or, unless specifically authorized or\nrequired by law, for any public identification purpose.\xe2\x80\x9d\n\nNew Jersey Annotated Statutes (N.J. Stat \xc2\xa718A:3-28)\n\nUse of student SSNs is restricted. \xe2\x80\x9cNo public or independent institution of higher\neducation in the State shall display any student\xe2\x80\x99s social security number to identify that\nstudent for posting or public listing of grades, on class rosters or other lists provided to\nteachers, on student identification cards, in student directories or similar listings, unless\notherwise required in accordance with applicable State or federal law.\xe2\x80\x9d This law\nbecomes effective January 26, 2006.\n\n\n\n\n                                                 B-2\n\x0c                                                                        Appendix C\n\nScope and Methodology\nTo accomplish our objective, we:\n\n\xe2\x80\xa2   interviewed selected university personnel responsible for student\n    admissions/registrations;\n\n\xe2\x80\xa2   reviewed Internet websites of seven universities that we either visited or interviewed\n    by telephone;\n\n\xe2\x80\xa2   reviewed applicable laws and regulations;\n\n\xe2\x80\xa2   reviewed selected studies, articles and reports regarding universities\xe2\x80\x99 use of Social\n    Security numbers (SSNs) as student identifiers;\n\n\xe2\x80\xa2   coordinated with the Social Security Administration\xe2\x80\x99s Office of General Counsel in\n    Region II and the Department of Education Office of the Inspector General to further\n    clarify use of SSNs as a primary student identifier as it relates to universities.\n\nWe visited two universities and conducted telephone interviews with officials at five\nother universities to assess their uses of the SSNs as student identifiers. The scope of\nour audit was to select two universities in each area of Region II. In each area,\n1 university had an enrollment of 15,000 or more students, and the other had an\nenrollment of 14,999 or less. Our review of internal controls was limited to gaining an\nunderstanding of universities\xe2\x80\x99 policies over the collection, protection, use and disclosure\nof SSNs. We conducted our field work from December 2004 through February 2005.\nOur audit was conducted in accordance with generally accepted government auditing\nstandards.\n\x0c                  Appendix D\n\nAgency Comments\n\x0c                                          SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:       July 14, 2005                                                          Refer To: S2D2\n\nTo:         Inspector General\nFrom:       Regional Commissioner\n            New York\nSubject:    OIG Draft Report On Universities\xe2\x80\x99 Use Of Social Security Numbers As Student Identifiers in\n            Region II, Audit No. 22005016 \xe2\x80\x93 REPLY\n\n           We have reviewed the draft report and are in agreement with the recommendations made by the\n           OIG. Following are our actions to date:\n\n           Recommendation 1: Three of the universities that used the SSN as the primary student\n           identifier are located in Puerto Rico and the fourth is in New Jersey. We have asked our Area\n           Directors for those geographic areas to initiate our efforts to meet with the universities.\n\n           Recommendation 2: We will ask, if necessary, the Department of Education\xe2\x80\x99s Family Policy\n           Compliance Office to assist those universities that use the SSN as the primary student identifier\n           to ensure they are complying with FERPA.\n\n           Should your staff have any questions, they may contact Dennis Mass, Director, Center for\n           Programs Support at 212 264-4004.\n\n\n\n                                                                       /s/\n                                                                Beatrice M. Disman\n\x0c                                                                      Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Tim Nee, Director, (212) 264-5295\n\n   Vicki Abril, Lead Auditor, (212) 264-0504\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Abraham Pierre, Auditor in Charge\n\n   Denise Molloy, Program Analyst\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. Refer to Common Identification\nNumber A-02-05-25104.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Executive Operations (OEO). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                  Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                               Office of Executive Operations\nOEO supports OIG by providing information resource management and systems security. OEO\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, OEO is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c"